
Feature Request: Token Exchange Grant Support for a particular audience in the same realm #248

Closed
natalie-o-perret opened this issue Dec 29, 2023 · 2 comments

Comments

@natalie-o-perret

natalie-o-perret commented Dec 29, 2023

🙋‍♀️ Hello @AnWeber ,

First off, thanks for your project, it's really awesome and fits exactly our needs at work without the whole enshittification that many tools suffer in this domain.

As described in this section, there is a support for the OAuth2 Token Exchange grant, that being said, it seems it's only for the case of a different realm and not for a particular audience in the same realm as the initial access token.

I think it would be great that the token exchange auth could support a different audience in the same-or-a-different realm, wdyt?

In our case we need to do this kind of work around:

### Get Access Token
# @name getAccessToken
POST {{keycloakTokenUrl}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{sso_clientId}} {{sso_clientSecret}}

grant_type=client_credentials

### Get Exchange Token
# @name getExchangeToken
# @forceRef getAccessToken
# @import ../api_keycloak.http
POST {{keycloakTokenUrl}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{sso_clientId}} {{sso_clientSecret}}

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&audience={{sso_TargetAudience}}&subject_token={{getAccessToken.access_token}}

### Get Entities
# @name getEntities
# @forceRef getExchangeToken
@dateStart=2023-11-01T00:00:00
@dateStop=2023-12-02T00:00:00
@pageIndex=1
@pageSize=3
GET {{apiHost}}/api/v1/entities
    ?dateStart={{dateStart}}
    &dateStop={{dateStop}}
    &pageIndex={{pageIndex}}
    &pageSize={{pageSize}}
Authorization: Bearer {{getExchangeToken.access_token}}

Also I think it would be best if the example shows the details of the definition about auth_realm.

@AnWeber
Owner

AnWeber commented Dec 29, 2023

> it's only for the case of a different realm and not for a particular audience in the same realm as the initial access token.

Yes, my use case for the token exchange was to change the token to another realm. Do you have a suggestion on how the API should be adapted so that I can map your use case? I think it should be enough to include the audience in this request. The parameters requested_token_type and subject_token_type should also be valid for your use case, right? https://github.com/AnWeber/httpyac/blob/main/src/plugins/oauth2/flow/tokenExchangeFlow.ts#L31-L32

@natalie-o-perret I added audience and resource props to token exchange flow. Please test if your use case works.
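As an added example (not part of this issue or of httpyac's own code), the exchange step of the workaround above in Python: it builds the RFC 8693 token-exchange form body with the `audience` and optional `resource` parameters discussed here, plus the `subject_token_type` / `requested_token_type` values, and checks that the token handed back actually carries the requested audience in its `aud` claim before it is sent to the API. The sample JWT is constructed and unsigned for the offline demo; the claim check decodes the payload only and does not replace signature verification against the realm's JWKS.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_token_exchange_body(subject_token: str, audience: str,
                              resource: Optional[str] = None) -> str:
    """Form-encoded body for an RFC 8693 exchange of an access token for one
    scoped to `audience` (same realm, different client) as in the workaround."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    if resource:  # optional RFC 8693 `resource` parameter (URI of the target API)
        params["resource"] = resource
    return urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_targets_audience(token: str, audience: str) -> bool:
    """True if the exchanged token's `aud` claim names `audience`.
    RFC 7519 allows `aud` to be a single string or a list of strings."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):
        return aud == audience
    return isinstance(aud, list) and audience in aud


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for the offline demo only: alg "none", empty signature."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In a real client the body goes to the realm token endpoint with the same client credentials used for the first request, and the returned access_token is only forwarded to the API when `token_targets_audience` is true.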

@natalie-o-perret
Author

You're absolutely fantastic!!!
Works like a charm!

Thanks a ton!
